This post doesn’t constitute legal advice. If you want advice on what your business requires to be GDPR compliant, you should consult a lawyer.
The General Data Protection Regulation (GDPR for short) compliance date is coming up at the end of next week, on May 25th to be exact! If you haven't already heard about it, it's definitely time to get informed and take action so your art-based business complies with the new regulation.
What is the GDPR?
The GDPR is a data privacy law in the European Union (EU) that aims to protect the privacy of individuals by requiring transparency from any website or company that holds, processes, controls, transfers, or stores personal data on people in the EU. You don't have to have a physical location in Europe to be affected by the GDPR: it applies based on where the people whose data you handle are, not where your business is. If you have sold or plan to sell to people in the EU, you need to know what's happening!
The GDPR generally applies to the collection and processing of personal data. According to Article 4(1), personal data means any information relating to an identified or identifiable natural person (the "data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
- Name
- Identification number
- Location data
- Online identifier (such as an IP address or cookie ID)
The GDPR stresses, amongst other things, that data collected on an individual is to be used only for the purpose it was collected for. For example, if you place a drop ship order with us, you are giving us permission to collect your payment and to make and ship a product to your end user. You are not giving us permission to, say, visit your house or get in touch with your end user to see how they liked the product. We are also obligated to collect only the minimum amount of information necessary to provide our services (the GDPR calls this data minimisation).
The GDPR aims to build trust online between individuals and businesses.
You've probably heard it before, but it bears repeating: trust is very hard to gain and very easy to lose! Part of why we are witnessing the rise of the GDPR is the string of data breaches at major companies. Consumer confidence is essential for online marketplaces, and the GDPR is helping to restore and build that confidence.
It does this by:
1) Requiring clear and easy-to-understand language in privacy policies about what your company collects, how, and why.
2) Straightforward opt-in procedures for newsletters and other marketing (no sneaky pre-checked boxes!).
3) An easy way to allow or disallow cookies. (Cookies provide a way for a website to recognize you and keep track of your preferences.)
4) The ability for an individual to request the data a company holds on them and to have it erased.
5) Easily accessible contact information for the company.
6) Disclosure, upon request, of the third-party services your website or online store transfers personal information to.
This last one is important since it applies in our working relationship!
If you are using our drop shipping services, either by manually entering orders on our site or by sending us orders via integrations, then you are effectively transferring data from your clients to us. We, in turn, are collecting your personal data via your orders, the information you enter into your account, and your online store if you have one on Art of Where.
That means we're all in this together! Let's go over a few things you can do for your customers as well as what we are doing to ensure compliance on our part.
What you can do right away for your online art-based business:
1) Audit your data collection process. The word "audit" doesn't give people an especially good feeling, but what it basically means is knowing what data you collect, why you collect it, how you use it, whether you share it with anyone else, whether you have permission to have it, and where, why and for how long you store it. For your website, map out where you collect information, what it is, and whether it is transferred to anyone after you collect it. This will help you understand how the GDPR applies to you.
2) If you have a newsletter, make sure your users are clearly asked for consent before they are put on your mailing list. Have a way, both in your newsletters (usually in the footer) and in the account (if you allow user accounts), to unsubscribe from the list. Keep a record of how and when a customer gave you permission to be on your mailing list, so you can show it if asked. If you work with an email marketing service like Mailchimp, they already have good tools for managing consent and your lists.
3) Have a minimal but clearly worded pop-up on your website that requests permission to set cookies (if you use them).
4) Display your contact info in an easy-to-find location and/or state it clearly at the top and/or bottom of your terms and privacy statements.
5) If you are working with third parties (including us!), get to know their privacy policies in depth and how they are responding to the GDPR. Know what personal information you are transferring to them so that if your customer asks, you can tell them!
6) Get to know the basics of encryption and data security on the internet. If you run a Shopify store, Shopify handles the platform-level security of a hosted store, but it's still good to read up on exactly what that covers (and what remains your responsibility, such as your own staff accounts and any data you export). Here are quick links to the security info for the platforms we integrate with. If you host your own site, get in touch with your hosting provider and find out what they provide security-wise.
What we're doing at Art of Where
Art of Where has always taken data security seriously. Since we evolved from a very small team with a leader on the paranoid side, we incorporated many layers of security into our infrastructure long ago.
In order to prepare for the GDPR Art of Where is:
1) Updating our Terms & Conditions.
2) Verifying that all integrations with third-party services are secure and encrypted.
3) Putting together information to help our artists and drop shippers.
4) Limiting who has access to customer data within our organization.
What we have done already:
1) Verified what information we store, how we store it, and that our storage is secure.
2) Trained our staff about GDPR compliance.
3) Set up a dedicated email for privacy concerns, which will be addressed by our Privacy Officer. Reach us at firstname.lastname@example.org
We'll also be paying close attention to the GDPR supervisory authorities as the regulation comes into effect on May 25th, 2018. In case of adjustments, additions, or anything else, we want to be ready to react.
Remember, we're only outlining the basics in this post. Depending on how you are connecting with people online, there may be more for you to research! We are not experts on the GDPR, so having your policies reviewed by a lawyer is essential.
Yes, the GDPR does make running your online business just a bit more complicated. We all know it's way more fun to finish your sparkle collage scan today than to watch YouTube "Explain it like I'm 5" videos (maybe listen to a podcast instead and do both at the same time?). However, building trust and being transparent about data are amazing things that make the internet a safer place for everyone and encourage the growth of a healthy online community. I, personally, am grateful that the EU is taking privacy and data so seriously! It's important to take the time to research what the GDPR means for your online business.
Here are a few more links we found handy in our research:
Have great links to resources? Share them below!